By Policy Focus

Drawing upon decades of experience, RAND provides research services, systematic analysis, and innovative thinking to a global clientele that includes government agencies, foundations, and private-sector firms.

About RAND Research

The Pardee RAND Graduate School (PRGS.edu) is the largest public policy analysis Ph.D. program in the nation and the only program based at an independent public policy research organization—the RAND Corporation.

Download eBook for Free

Full Document

Summary Only

Research Questions

What are the fundamental characteristics of black and gray markets for hackers?

How did they grow into their current state? What direction do they appear to be heading?

How can the existence of these markets harm the information security environment?

Abstract

Criminal activities in cyberspace are increasingly facilitated by burgeoning black markets for both tools (e.g., exploit kits) and take (e.g., credit card information). This report, part of a multiphase study on the future security environment, describes the fundamental characteristics of these markets and how they have grown into their current state to explain how their existence can harm the information security environment. Understanding the current and predicted landscape for these markets lays the groundwork for follow-on exploration of options to minimize the potentially harmful influence these markets impart. Experts agree that the coming years will bring more activity in darknets, more use of crypto-currencies, greater anonymity capabilities in malware, and more attention to encrypting and protecting communications and transactions; that the ability to stage cyberattacks will likely outpace the ability to defend against them; that crime will increasingly have a networked or cyber component, creating a wider range of opportunities for black markets; and that there will be more hacking for hire, as-a-service offerings, and brokers. Experts disagree, however, on who will be most affected by the growth of the black market (e.g., small or large businesses, individuals), what products will be on the rise (e.g., fungible goods, such as data records and credit card information; non-fungible goods, such as intellectual property), or which types of attacks will be most prevalent (e.g., persistent, targeted attacks; opportunistic, mass "smash-and-grab" attacks).

Key Findings

The Hacking Community and Cyber Black Markets Are Growing and Maturing

The cyber black market has evolved from a varied landscape of discrete, ad hoc individuals into a network of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states.

The cyber black market does not differ much from a traditional market or other typical criminal enterprises; participants communicate through various channels, place their orders, and get products.

Its evolution mirrors the normal evolution of markets with both innovation and growth.

For many, the cyber black market can be more profitable than the illegal drug trade.

These Cyber Black Markets Respond to Outside Forces

As suspicion and "paranoia" spike because of an increase in recent takedowns, more transactions move to darknets; stronger vetting takes place; and greater encryption, obfuscation, and anonymization techniques are employed, restricting access to the most sophisticated parts of the black market.

The proliferation of as-a-service and point-and-click interfaces lowers the cost to enter the market.

Law enforcement efforts are improving as more individuals are technologically savvy; suspects are going after bigger targets, and thus are attracting more attention; and more crimes involve a digital component, giving law enforcement more opportunities to encounter crime in cyberspace.

Still, the cyber black market remains resilient and is growing at an accelerated pace, continually getting more creative and innovative as defenses get stronger, law enforcement gets more sophisticated, and new exploitable technologies and connections appear in the world.

Products can be highly customized, and players tend to be extremely specialized.

Recommendations

Explore how computer security and defense companies could shift their approaches to thwarting attackers and attacks.

Explore how bug bounty programs or better pay and incentives from legitimate companies might shift transactions and talent off the illicit markets into legitimate business operations.

Explore the costs and benefits of establishing fake credit card shops, fake forums, and sites to increase the number and quality of arrests, and otherwise tarnish the reputation of black markets.

Explore the ramifications of hacking back, or including an offensive component within law enforcement that denies, degrades, or disrupts black-market business operations.

Explore the options for banks or merchants to buy back their customers' stolen data.

Explore the effects of implementing mandates for encryption on point-of-sale terminals, safer and stronger storage of passwords and user credentials, worldwide implementation of chips and PINs, and regular checks of websites to prevent common vulnerabilities put a dent in the black market, or enforce significant changes to how the market operates.

Explore how to apply lessons learned from the black market for drugs or arms merchants to the black market for cybercrime.

Determine whether it is more effective for law enforcement to go after the small number of top-tier operators or the lower- or open-tier participants.

Examine whether governments and law enforcement worldwide could work together to persecute and extradite when appropriate, and coordinate for physical arrests and indictments.

This report is part of the RAND Corporation research report series. RAND reports present research findings and objective analysis that address the challenges facing the public and private sectors. All RAND reports undergo rigorous peer review to ensure high standards for research quality and objectivity.

Permission is given to duplicate this electronic document for personal use only, as long as it is unaltered and complete. Copies may not be duplicated for commercial purposes. Unauthorized posting of RAND PDFs to a non-RAND Web site is prohibited. RAND PDFs are protected under copyright law. For information on reprint and linking permissions, please visit the RAND Permissions page.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.

About

The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest.